Chrome Version : 19.0.1084.46 m
URLs (if applicable) : http://www.enhanceie.com/test/clickjack/
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5: Not tested
Firefox 4.x: Failed, described in https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header, this is not supported
IE 7/8/9: Passed in IE9
What steps will reproduce the problem?
1. Visit http://www.enhanceie.com/test/clickjack/ and check the 8th section, whose title includes "A same-origin victim IFRAME, which is configured to ALLOW-FROM a different origin only"
What is the expected result?
The iframe content is blocked
What happens instead?
The iframe content shows correctly
Please provide any additional information below. Attach a screenshot if possible.

Any news on that subject? Here is an alternative test scenario: http://erlend.oftedal.no/blog/tools/xframeoptions/
The spec is already implemented fully in IE9 and Firefox 18, so it would be great for WebKit browsers to close the implementation gap as well.

Getting the following in console: Refused to display 'xxxx' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors *.twitter.com".
However, the content is still shown in the iframe. This is on a localhost web server.

WONTFIXing this bug. I don't believe we should support `Allow-From` with X-Frame-Options' broken checking behavior. 'frame-ancestors' is shipping in both Chrome and Firefox, and is the right way to support this functionality.
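
An added example, not part of the original thread or of Chromium's code: a response-header audit that flags pages relying on `X-Frame-Options: ALLOW-FROM` alone, which this issue shows is not enforced in Chrome, and proposes the matching `frame-ancestors` policy. The function names, the status labels and the `partner.example` host are assumptions made for the example.

```python
from urllib.parse import urlsplit

def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP header value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]  # first occurrence of a directive is the one used
    return None

def audit_framing(headers):
    """Classify a response's anti-framing headers (mapping of name -> value)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # When frame-ancestors is present it takes precedence over X-Frame-Options.
        # An empty source list is equivalent to 'none'.
        return {"status": "csp",
                "policy": "frame-ancestors " + " ".join(sources or ["'none'"])}
    parts = h.get("x-frame-options", "").split(None, 1)
    token = parts[0].upper() if parts else ""
    if token in ("DENY", "SAMEORIGIN"):
        return {"status": "xfo", "policy": token}
    if token == "ALLOW-FROM" and len(parts) == 2:
        # Browsers without ALLOW-FROM support render the frame anyway, so the
        # page is only protected where that value is implemented.
        u = urlsplit(parts[1].strip())
        return {"status": "allow-from-only",
                "suggest": f"frame-ancestors {u.scheme}://{u.netloc}"}
    return {"status": "none"}

if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = [
        {"X-Frame-Options": "ALLOW-FROM https://partner.example/embed"},
        {"X-Frame-Options": "ALLOW-FROM https://partner.example/",
         "Content-Security-Policy": "default-src 'self'; frame-ancestors *.twitter.com"},
        {"x-frame-options": "sameorigin"},
        {},
    ]
    for s in samples:
        print(s, "->", audit_framing(s))
```
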